In a concerning development, Dutch officials have reported a Chinese cyber espionage campaign targeting dozens of Western governments. The attackers utilized sophisticated tactics, techniques, and procedures (TTPs) reminiscent of a previous campaign we observed in our deception environment. This recent attack underscores the persistent and evolving threat posed by state-sponsored cyber actors and highlights the need for robust cybersecurity measures.

First, we saw Russian actors exploiting vulnerabilities with the goal of gaining and maintaining  access in FortiGate devices, and now a Chinese-linked espionage campaign is doing the same. This dual exploitation by adversaries with significant cyber capabilities—often referred to as the “axis of evil” in cybersecurity circles—demonstrates the high value and effectiveness of these vulnerabilities. The fact that multiple state-sponsored actors are leveraging these TTPs underscores the critical need for proactive defenses.

The Chinese Exploitation Campaign

The recent campaign attributed to Chinese actors targeted critical infrastructure and government systems in the West. By exploiting vulnerabilities in widely used software, these actors aimed to infiltrate networks, gather intelligence, and potentially disrupt operations. The tactics observed in this campaign mirror those used by Russian actors in the past, particularly in their exploitation of Fortinet’s FortiOS vulnerabilities.

Russian Exploitation of FortiOS

Several months ago, Fortinet released security updates to address critical remote code execution vulnerabilities in FortiOS (CVE-2024-21762 and CVE-2024-23113). These vulnerabilities were severe enough to warrant an advisory from CISA, highlighting their potential for exploitation in the wild. At that time, our threat intelligence team conducted an in-depth investigation into these vulnerabilities and their implications.

In a notable incident, we detected exploitation of a similar vulnerability (CVE-2022-40684) in FortiOS SSL VPN. This vulnerability, with a CVSS score of 9.8, posed a significant threat to organizations relying on Fortinet appliances. Despite the high risk, detailed exploitation data was scarce.

Post-Exploit Threat Intel, Powered by Deception

Faced with limited information on the exploitation of CVE-2022-40684, our research team at CounterCraft set up a deception environment based on a FortiOS device vulnerable to authentication bypass. This environment simulated a vulnerable organization, effectively luring attackers and capturing their exploit attempts. The results were immediate and insightful.

Within a week of deploying our deception environment, we observed targeted exploitation of the simulated vulnerability. Our advanced deception platform enabled us to deconstruct the exploit, gathering critical details about the attackers’ methods and objectives. This approach provided us with valuable intelligence that could inform defensive strategies and improve overall cybersecurity resilience.

The timeline of the attack on our deception environment revealed the precise methods used by the attackers. By capturing detailed forensic data, we were able to trace the exploit’s progression, identify the processes it invoked, and uncover the Russian IP address to which it communicated. This level of detail is crucial for understanding the full scope of the threat and developing effective countermeasures.

A Call to Action

The repeated use of these TTPs by both Russian and Chinese actors highlights the urgency of implementing robust cybersecurity measures. Organizations using vulnerable systems, particularly those running FortiOS, must take proactive steps to protect themselves. While Fortinet provides security updates, they do not offer the capability to build deception environments that can capture post-exploitation threat intelligence and movements.

At CounterCraft, we have demonstrated how easy it is to build a deception environment that lures attackers, captures their activities, and provides actionable intelligence. From zero to results in less than a week, our technology has proven effective in uncovering sophisticated threats.

From zero to results in less than a week, our technology has proven effective in uncovering sophisticated threats.

Get the Insights You Need

If you are concerned about these vulnerabilities and want to protect your organization, we can help. Our detailed forensic playout of the exploit, captured in a JSON file, provides comprehensive insights into the attackers’ methods and objectives. This information is invaluable for enhancing your cybersecurity defenses.

To receive the JSON file with the detailed forensic analysis of the Russian behavior we observed, get in touch with us.

Our deception technology not only provides critical threat intelligence but also demonstrates our capability to detect and analyze both Russian and Chinese cyber activities.

The dynamic cybersecurity landscape requires continuous vigilance and advanced tools to navigate its complexities. By leveraging deception technology, we can gain deep insights into adversaries’ tactics and improve our defensive strategies. Protect your organization by staying informed and proactive. Reach out to us to learn more about how our deception technology can work for you.

Request access to the detailed forensic playout of the exploit.
Richard Barrell is the Head of Product Management, responsible for the company’s product development and threat intel

Richard Barrell is the Head of Product Management, responsible for the company’s product development and growth. Follow him on LinkedIn.